Similar documents
19 similar documents found; search took 343 ms
1.
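This paper proposes a hybrid traffic detection method for BitTorrent, a file-sharing P2P application. The method consists of three sub-methods that detect the plaintext flows, encrypted flows, and signaling flows in BitTorrent traffic respectively, and it predicts BitTorrent traffic that is about to occur. Experimental results show that the method's recall, accuracy, and real-time performance are all better than those of the machine learning methods with the best real-time performance currently available.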

2.
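P2P (Peer-to-Peer) systems are widely used in content sharing, instant messaging, streaming media, and other fields. However, P2P traffic consumes most network bandwidth and causes network congestion, so effectively identifying and managing P2P traffic has become a very hot topic. Focusing on the BT signaling protocols, this paper analyzes how peer lists are obtained from Tracker servers, from the DHT network, and via the PEX protocol, and proposes a method for pre-identifying BT traffic by parsing the peer lists in the corresponding messages. The method can accurately predict the occurrence of BT data flows, identify BT traffic fairly accurately, and effectively reduce system overhead.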

3.
杨林  刘聪  徐慧  张宵龙 《计算机科学》2012,(Z2):86-87,106
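This paper analyzes P2P flow identification techniques. To improve the real-time performance of P2P flow identification, it proposes a P2P flow identification method based on classification with a real-time attribute set. Test results show that the method shortens detection time without affecting the accuracy of P2P traffic detection.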

4.
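This paper first introduces the current mainstream P2P traffic identification methods and their advantages and disadvantages, and analyzes the interaction process and characteristics of the BT protocol through actual packet captures. Four traffic features are selected (average packet length, flow duration, ratio of upstream to downstream packet counts, and destination port) and combined with a support vector machine to identify network traffic. Experimental results show that the method can effectively detect P2P traffic in network traffic.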

5.
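P2P (Peer-to-Peer) systems are widely used in file sharing, collaborative computing, streaming media, and other fields. As P2P technology has developed, more and more P2P applications encrypt their data transmissions, which makes their traffic harder to identify. By analyzing the characteristics of the MSE (Message Stream Encryption) protocol, this paper proposes a method that reconstructs the MSE protocol message stream in order to identify encrypted BT (BitTorrent) traffic. The open-source BT client Vuze was modified, and the real BT traffic information it collected was used to test the method. The results show that, combined with existing DPI (deep packet inspection) techniques, the method identifies BT traffic in the network with high recall and accuracy while maintaining a low false positive rate.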

6.
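To meet the need for P2P traffic management in IPv6 networks, a distributed IPv6-based P2P flow behavior analysis system is designed. The system's packet capture module is deployed in a distributed manner and can collect traffic from multiple network monitoring points in real time for aggregate analysis. Through experimental comparison, the system optimizes the input combination of the hash module, which solves the efficiency problem of creating flows and maintaining flow state information in an IPv6 environment. The system was used to measure BT flow behavior characteristics in a real IPv6 network environment, and the related experimental analysis results were obtained.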

7.
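P2P application traffic, represented by BT, already accounts for more than 70% of Internet traffic, and enterprises' critical applications cannot be guaranteed bandwidth. This paper analyzes the working principle, traffic characteristics, and identification methods of the BT protocol, and proposes a real-time BT traffic detection and control method based on TCP packet dropping, which effectively controls BT traffic.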

8.
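Because the statistical features of the control flows and data flows in P2P streaming media traffic differ greatly, DFI (Deep Flow Inspection) methods identify such traffic poorly. Drawing on the idea of DFI, this paper proposes a method for identifying P2P streaming media traffic based on endpoint features. The method extracts six effective features for network endpoints and combines them with machine learning to identify P2P streaming media traffic. Experimental results show that the method achieves higher overall accuracy than DFI identification and can be used for online identification of P2P streaming media.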

9.
李双庆  左建勋路遥 《计算机应用》2007,27(B06):166-167,169
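BitTorrent (BT) applications based on P2P technology consume a large amount of network bandwidth and affect the normal operation of critical services in the network. BT traffic is correctly identified by studying the content of BT packets. An efficient BT traffic classification method based on the ABV algorithm is proposed, so that BT traffic can be effectively controlled according to agreed control rules. Experiments verify the effectiveness and correctness of this BT traffic identification and classification method.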

10.
A Peer Selection Algorithm for Reducing Inter-Network P2P Traffic   Total citations: 1, self-citations: 0, citations by others: 1
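To guide peer-to-peer (P2P) traffic sensibly and reduce bandwidth consumption at key locations, this paper takes the commonly used P2P software BitTorrent (BT) as an example and proposes a peer selection algorithm based on piece fusion degree, which reduces BT traffic while lowering BT download efficiency only slightly. Modeling and analysis show that the algorithm can greatly reduce inter-network P2P traffic.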

11.
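BT applications based on P2P technology provide efficient network transfer, but they also consume a large amount of network bandwidth. From the perspective of network operations, ensuring normal operation of the network requires effectively managing and controlling different classes of network traffic and allocating reasonable bandwidth to each network application, and in particular ensuring that the bandwidth required by critical services is not affected by BT applications. An efficient BT traffic identification and classification method based on the ABV algorithm is proposed: by analyzing the content of BT packets, it correctly identifies and classifies BT traffic, so that BT traffic can be effectively controlled according to agreed control rules. Experiments verify the effectiveness and correctness of this BT traffic identification and classification method.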

12.
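Identifying P2P traffic on high-speed networks is extremely difficult, because port-based methods are no longer accurate and application-signature-based methods are not efficient enough. A BitTorrent traffic identification algorithm for high-speed networks, based on packet sampling and application signatures, is proposed. False positive rate and false negative rate models are built to analyze the effect of the packet sampling rate and the signature rate on identification accuracy, and to guide the selection of application signatures and sampling rate. The algorithm is implemented on the Snort platform by developing a flow-state-determination preprocessor. Experimental results show that the algorithm's processing efficiency and accuracy are both satisfactory and that it can be applied in high-speed network environments. On an ordinary personal computer, the processing rate for sampled packets is above 800 Mbps. When the method is applied to packet processing, the false negative rate is 0.6% at a sampling rate of 0.5, 5.9% at a sampling rate of 0.1, and 10.5% at a sampling rate of 0.05. When the method is applied to flow data analysis, the false negative rate is 0.06% at a sampling rate of 0.5, 0.33% at a sampling rate of 0.1, and 1.1% at a sampling rate of 0.05. The method shows excellent false positive performance: no packet was falsely identified. The experimental results also show that the false positive rate and false negative rate models are very accurate.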

13.
Accurate identification of network applications is important for many network activities. The traditional port-based technique has become much less effective since many new applications no longer use well-known fixed port numbers. In this paper, we propose a novel profile-based approach to identifying traffic flows belonging to the target application. In contrast to the method used in previous studies, of classifying traffic based on statistics of individual flows, we build behavioral profiles of the target application, which describe dominant patterns in the application. Based on the behavior profiles, a two-level matching method is used to identify new traffic. We first determine whether a host participates in the target application by comparing its behavior with the profiles. Subsequently, we compare each flow of the host with those patterns in the application profiles to determine which flows belong to this application. We demonstrate the effectiveness of our method on campus traffic traces. Our results show that one can identify popular P2P applications with very high accuracy.

14.
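Internet traffic classification is the process of identifying network applications and classifying the corresponding traffic, and it is considered the most basic function in modern network management and security systems. Application-related traffic classification is a foundational technology for network security. Traditional traffic classification methods include port-based prediction and payload-based deep inspection. In the current network environment, the traditional methods face practical problems such as dynamic ports and encrypted applications, so machine learning (ML) techniques based on traffic statistical features are used for traffic classification and identification. Machine learning can automatically search the supplied traffic data and describe useful structural patterns, which helps classify traffic intelligently. Initially the naive Bayes method was used to identify and classify network traffic; it performed well in experiments on specific traffic, with accuracy above 90%, but its identification accuracy for traffic such as peer-to-peer (P2P) network traffic reached only about 50%. Methods such as support vector machines (SVM) and neural networks (NN) were used later, and the neural network method brings the classification accuracy for overall network traffic to above 80%. Multiple studies show that the use and subsequent improvement of a variety of machine learning methods have considerably improved the accuracy of traffic classification.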

15.
It is estimated that 70% or more of broadband bandwidth is consumed by transmitting music, games, video and other content through Peer-to-Peer (P2P) clients. In order to detect, identify, and manage P2P traffic, some port, payload and transport layer feature based methods were proposed. Most of them were applied to offline traffic classification mainly due to the performance reason. In this paper, a network processors (NPs) based online hybrid traffic classifier is proposed. The designed hardware classifier is able to classify P2P traffic based on the static characteristic namely on line speed, and the Flexible Neural Tree (FNT) based software classifier helps learning and selecting P2P traffic attributes from the statistical characteristics of the P2P traffic. Experiment results illustrate that the hybrid classifier performs well for online classification of P2P traffic from gigabit network. The proposed framework also depicts good expansion capabilities to add new P2P features and to adapt to new P2P applications online.

16.
The goal of network traffic classification is to identify the protocols or types of protocols in the network traffic. In particular, the identification of network traffic with high resource consumption, such as peer-to-peer (P2P) traffic, represents a great concern for Internet Service Providers (ISP) and network managers. Most current flow-based classification approaches report high accuracy without paying attention to the generalization ability of the classifier. However, without this ability, a classifier may not be suitable for on-line classification. In this paper, a number of experiments on real traffic help to elucidate the reason for this lack of generalization. It is also shown that one way to attain the generalization ability is by using dynamic classifiers. From these results, a dynamic classification approach based on the pairing of flows according to a similarity criterion is proposed. The pairing method is not a classifier by itself. Rather, its goal is to determine in a fast way that two given flows are similar enough to conclude they correspond to the same protocol. Combining this method with a classifier, most of the flows do not need to be explicitly evaluated by the latter, so that the computational overhead is reduced without a significant reduction in accuracy. In this paper, as a case study, we explore complementing the pairing method with payload inspection. In the experiments performed, the pairing approach generalizes well to traffic obtained in different conditions and scenarios than that used for calibration. Moreover, a high portion of the traffic unclassified by payload inspection is categorized with the pairing method.

17.
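BitTorrent is a P2P-based file-sharing protocol that is widely used on the Internet today. It uses dynamic ports, which makes BitTorrent traffic control very difficult. Based on an analysis of the BitTorrent protocol, this paper presents a BitTorrent traffic control method based on application-layer feature matching. The application-layer features of BitTorrent flows are first extracted, and the extension framework of Linux Netfilter/Iptables is used to match packets against these application-layer features. TC is then used to control the traffic.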

18.
Recognized as one of the most serious security threats on current Internet infrastructure, botnets can not only be implemented by existing well known applications, e.g. IRC, HTTP, or Peer-to-Peer, but also can be constructed by unknown or creative applications, which makes the botnet detection a challenging problem. Previous attempts for detecting botnets are mostly to examine traffic content for bot command on selected network links or by setting up honeypots. Traffic content, however, can be encrypted with the evolution of botnet, and as a result leading to a failure of content based detection approaches. In this paper, we address this issue and propose a new approach for detecting and clustering botnet traffic on large-scale network application communities, in which we first classify the network traffic into different applications by using traffic payload signatures, and then a novel decision tree model is used to classify those traffic to be unknown by the payload content (e.g. encrypted traffic) into known application communities where network traffic is clustered based on n-gram features selected and extracted from the content of network flows in order to differentiate the malicious botnet traffic created by bots from normal traffic generated by human beings on each specific application. We evaluate our approach with seven different traffic traces collected on three different network links and results show the proposed approach successfully detects two IRC botnet traffic traces with a high detection rate and an acceptable low false alarm rate.

19.
The popularity of a new generation of smart peer-to-peer applications has resulted in several new challenges for accurately classifying network traffic. In this paper, we propose a novel two-stage p2p traffic classifier, called Self-Learning Traffic Classifier (SLTC), that can accurately identify p2p traffic in high speed networks. The first stage classifies p2p traffic from the rest of the network traffic, and the second stage automatically extracts application payload signatures to accurately identify the p2p application that generated the p2p flow. For the first stage, we propose a fast, light-weight algorithm called Time Correlation Metric (TCM), that exploits the temporal correlation of flows to clearly separate peer-to-peer (p2p) traffic from the rest of the traffic. Using real network traces from tier-1 ISPs that are located in different continents, we show that the detection rate of TCM is consistently above 95% while always keeping the false positives at 0%. For the second stage, we use the LASER signature extraction algorithm [20] to accurately identify signatures of several known and unknown p2p protocols with very small false positive rate (<1%). Using our prototype on tier-1 ISP traces, we demonstrate that SLTC automatically learns signatures for more than 95% of both known and unknown traffic within 3 min.
